Website Recon

Other information you can get from the website

Basic Information

Check the SSL certificate for more information.

It could contain other subdomains.

Run whatweb to gain information about the target

$ whatweb -v -a http://SERVER:PORT

$ ffuf -w directory_wordlist:FUZZ -u http://SERVER:PORT/FUZZ

$ ffuf -w extension_wordlist:FUZZ -u http://SERVER:PORT/indexFUZZ

$ ffuf -w content_wordlist:FUZZ -u http://SERVER:PORT/blog/FUZZ.php

$ ffuf -w subdomain_wordlist:FUZZ -u https://FUZZ.SERVER:PORT/

$ ffuf -w subdomain_wordlist:FUZZ -u http://SERVER:PORT/ -H 'Host: FUZZ.SERVER:PORT' -fs xxx

$ ffuf -w param_wordlist:FUZZ -u http://SERVER:PORT/admin.php?FUZZ=key -fs xxx

$ ffuf -w param_wordlist:FUZZ -u http://SERVER:PORT/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

$ ffuf -w value_wordlist:FUZZ -u http://SERVER:PORT/admin.php?id=FUZZ -fs xxx

$ ffuf -w value_wordlist:FUZZ -u http://SERVER:PORT/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

$ ffuf -w JHADDIX_LFI:FUZZ -u http://SERVER:PORT/admin.php?page=FUZZ -fs xxx

$ ./search_censys.py -d victim.com

$ ./dnsrecon.py -d victim.com -t brt -D subdomains-top1mil.txt

If you have many URLs to go through, instead of manually visiting them, you can take screenshots of the websites instead for a quick review

$ webscreenshot -i urls.txt

Last updated 2 years ago